In an authorization procedure, there may be a need to identify a person as being authorized to engage in an activity. For example, the activity may be authorizing a financial transaction, gaining access to sensitive information, or entering a secure location. Often, the authorization procedure is performed by comparing database information to information carried on an identification card, or another man-made token. If information on the token matches information in the database, the activity is authorized. For example, when a person desires to purchase groceries, he may present a credit card. If the credit card information matches information in a database, the purchase is authorized. Such token-based authorization systems are problematic because the token may be stolen and used by an unauthorized person.
Some authorization systems require the user to remember one or more codes. For example, to gain access to a secure room, a person is often required to enter a combination before the door will unlock. Such a system is an example of a purely knowledge-based system since authorization is dependent only on the user's knowledge of the combination. Knowledge-based authorization systems are problematic in that many people have trouble remembering the authorization code. Further, the authorization code may be discovered by unauthorized persons, and later used to gain authorization.
Other types of systems combine features of a token-based system with features of a knowledge-based system. An example is a system that allows the purchase of goods using a debit card. Use of the debit card to authorize the purchase of goods may require the user to provide a man-made token in the form of a plastic card, and may also require the user to provide an identification number before the user is authorized to use the corresponding debit account to purchase goods. Such systems may be more secure than purely token-based systems or purely knowledge-based systems, but they are still highly susceptible to use by unauthorized persons, and may require the authorized user to have a good memory.
The physiological and/or behavioral characteristics of an individual are often referred to as “biometrics”, and biometrics may be used to identify a person as being someone authorized to engage in an activity. Authorization systems have employed biometrics along with tokens as a means for preventing the unauthorized use of tokens.
Recently, authorization systems have been provided which do not require any token, and instead rely entirely on a biometric. The biometric used by such authorization systems typically is a fingerprint, but some systems use a scanned image of the person's iris, hand geometry, or a palm print. Other types of biometrics may be used. Purely biometric-based systems are not foolproof. For example, a rubber duplicate of an authorized user's fingerprint may be made and used by an unauthorized person to gain authorization for an activity. Or, biometric-based systems may erroneously believe an unauthorized person's fingerprint to be similar enough to an authorized user's fingerprint such that authorization is erroneously determined.
Therefore, some existing biometric-based systems require the user to provide an identification code (along with the biometric) in order for the user to be authorized to engage in the activity. Such systems combine features of biometric-based systems with features of knowledge-based systems, and as such, those systems have the problems associated with knowledge-based systems, even though they may provide a higher level of security.
The existing authorization systems require the user to possess a token or remember a code and/or provide an insufficient level of security for society's current needs. A more secure system of authorizing an activity is needed.